2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 29 Negotiate Authenticator */
11 /* The functions in this file handle authentication.
12 * They DO NOT perform access control or auditing.
13 * See acl.c for access control and client_side.c for auditing */
16 #include "auth/Gadgets.h"
17 #include "auth/negotiate/Config.h"
18 #include "auth/negotiate/Scheme.h"
19 #include "auth/negotiate/User.h"
20 #include "auth/negotiate/UserRequest.h"
21 #include "auth/State.h"
23 #include "client_side.h"
25 #include "http/Stream.h"
26 #include "HttpHeaderTools.h"
27 #include "HttpReply.h"
28 #include "HttpRequest.h"
29 #include "mgr/Registration.h"
30 #include "SquidTime.h"
35 \defgroup AuthNegotiateInternal Negotiate Authenticator Internals
36 \ingroup AuthNegotiateAPI
39 /* Negotiate Scheme */
40 static AUTHSSTATS authenticateNegotiateStats
;
42 /// \ingroup AuthNegotiateInternal
43 statefulhelper
*negotiateauthenticators
= NULL
;
45 /// \ingroup AuthNegotiateInternal
46 static int authnegotiate_initialised
= 0;
48 /// \ingroup AuthNegotiateInternal
49 static hash_table
*proxy_auth_cache
= NULL
;
52 Auth::Negotiate::Config::rotateHelpers()
54 /* schedule closure of existing helpers */
55 if (negotiateauthenticators
) {
56 helperStatefulShutdown(negotiateauthenticators
);
59 /* NP: dynamic helper restart will ensure they start up again as needed. */
63 Auth::Negotiate::Config::done()
67 authnegotiate_initialised
= 0;
69 if (negotiateauthenticators
) {
70 helperStatefulShutdown(negotiateauthenticators
);
76 delete negotiateauthenticators
;
77 negotiateauthenticators
= NULL
;
79 if (authenticateProgram
)
80 wordlistDestroy(&authenticateProgram
);
82 debugs(29, DBG_IMPORTANT
, "Reconfigure: Negotiate authentication configuration cleared.");
86 Auth::Negotiate::Config::dump(StoreEntry
* entry
, const char *name
, Auth::Config
* scheme
) const
88 if (!Auth::Config::dump(entry
, name
, scheme
))
91 storeAppendPrintf(entry
, "%s negotiate keep_alive %s\n", name
, keep_alive
? "on" : "off");
95 Auth::Negotiate::Config::Config() : keep_alive(1)
99 Auth::Negotiate::Config::parse(Auth::Config
* scheme
, int n_configured
, char *param_str
)
101 if (strcmp(param_str
, "program") == 0) {
102 if (authenticateProgram
)
103 wordlistDestroy(&authenticateProgram
);
105 parse_wordlist(&authenticateProgram
);
107 requirePathnameExists("auth_param negotiate program", authenticateProgram
->key
);
108 } else if (strcmp(param_str
, "keep_alive") == 0) {
109 parse_onoff(&keep_alive
);
111 Auth::Config::parse(scheme
, n_configured
, param_str
);
115 Auth::Negotiate::Config::type() const
117 return Auth::Negotiate::Scheme::GetInstance()->type();
121 * Initialize helpers and the like for this auth scheme.
122 * Called AFTER parsing the config file
125 Auth::Negotiate::Config::init(Auth::Config
*)
127 if (authenticateProgram
) {
129 authnegotiate_initialised
= 1;
131 if (negotiateauthenticators
== NULL
)
132 negotiateauthenticators
= new statefulhelper("negotiateauthenticator");
134 if (!proxy_auth_cache
)
135 proxy_auth_cache
= hash_create((HASHCMP
*) strcmp
, 7921, hash_string
);
137 assert(proxy_auth_cache
);
139 negotiateauthenticators
->cmdline
= authenticateProgram
;
141 negotiateauthenticators
->childs
.updateLimits(authenticateChildren
);
143 negotiateauthenticators
->ipc_type
= IPC_STREAM
;
145 helperStatefulOpenServers(negotiateauthenticators
);
150 Auth::Negotiate::Config::registerWithCacheManager(void)
152 Mgr::RegisterAction("negotiateauthenticator",
153 "Negotiate User Authenticator Stats",
154 authenticateNegotiateStats
, 0, 1);
158 Auth::Negotiate::Config::active() const
160 return authnegotiate_initialised
== 1;
164 Auth::Negotiate::Config::configured() const
166 if (authenticateProgram
&& (authenticateChildren
.n_max
!= 0)) {
167 debugs(29, 9, HERE
<< "returning configured");
171 debugs(29, 9, HERE
<< "returning unconfigured");
175 /* Negotiate Scheme */
178 Auth::Negotiate::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request
, HttpReply
*rep
, Http::HdrType reqType
, HttpRequest
* request
)
180 if (!authenticateProgram
)
183 /* Need keep-alive */
184 if (!request
->flags
.proxyKeepalive
&& request
->flags
.mustKeepalive
)
187 /* New request, no user details */
188 if (auth_user_request
== NULL
) {
189 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate'");
190 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate");
193 /* drop the connection */
194 rep
->header
.delByName("keep-alive");
195 request
->flags
.proxyKeepalive
= false;
198 Auth::Negotiate::UserRequest
*negotiate_request
= dynamic_cast<Auth::Negotiate::UserRequest
*>(auth_user_request
.getRaw());
199 assert(negotiate_request
!= NULL
);
201 switch (negotiate_request
->user()->credentials()) {
204 /* here it makes sense to drop the connection, as auth is
205 * tied to it, even if MAYBE the client could handle it - Kinkie */
206 rep
->header
.delByName("keep-alive");
207 request
->flags
.proxyKeepalive
= false;
211 /* Special case: authentication finished OK but disallowed by ACL.
212 * Need to start over to give the client another chance.
214 if (negotiate_request
->server_blob
) {
215 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate " << negotiate_request
->server_blob
<< "'");
216 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate %s", negotiate_request
->server_blob
);
217 safe_free(negotiate_request
->server_blob
);
219 debugs(29, 9, HERE
<< "Connection authenticated");
220 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate");
224 case Auth::Unchecked
:
225 /* semantic change: do not drop the connection.
226 * 2.5 implementation used to keep it open - Kinkie */
227 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate'");
228 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate");
231 case Auth::Handshake
:
232 /* we're waiting for a response from the client. Pass it the blob */
233 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate " << negotiate_request
->server_blob
<< "'");
234 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate %s", negotiate_request
->server_blob
);
235 safe_free(negotiate_request
->server_blob
);
239 debugs(29, DBG_CRITICAL
, "ERROR: Negotiate auth fixHeader: state " << negotiate_request
->user()->credentials() << ".");
240 fatal("unexpected state in AuthenticateNegotiateFixErrorHeader.\n");
246 authenticateNegotiateStats(StoreEntry
* sentry
)
248 if (negotiateauthenticators
)
249 negotiateauthenticators
->packStatsInto(sentry
, "Negotiate Authenticator Statistics");
253 * Decode a Negotiate [Proxy-]Auth string, placing the results in the passed
254 * Auth_user structure.
256 Auth::UserRequest::Pointer
257 Auth::Negotiate::Config::decode(char const *proxy_auth
, const char *aRequestRealm
)
259 Auth::Negotiate::User
*newUser
= new Auth::Negotiate::User(Auth::Config::Find("negotiate"), aRequestRealm
);
260 Auth::UserRequest
*auth_user_request
= new Auth::Negotiate::UserRequest();
261 assert(auth_user_request
->user() == NULL
);
263 auth_user_request
->user(newUser
);
264 auth_user_request
->user()->auth_type
= Auth::AUTH_NEGOTIATE
;
266 auth_user_request
->user()->BuildUserKey(proxy_auth
, aRequestRealm
);
268 /* all we have to do is identify that it's Negotiate - the helper does the rest */
269 debugs(29, 9, HERE
<< "decode Negotiate authentication");
270 return auth_user_request
;